It's useful to disable ICMP reply sometimes on Linux, especially if you have to deal with abusive script kiddies trying to DoS your host using an ICMP ping flood. Though ICMP ping flood is no longer used as much as it was in the past, there are still some malicious users trying to use it to take revenge on a company for being mistreated, or simply because someone paid them to cause the company financial loss by DDoS-ing its internet portal or whatever …
From the position of a system administrator, implementing a tiny one-liner iptables rule gives solid protection against a basic ICMP ping flood. The rule will not be hard for an experienced attacker to get around, but it will still stop a lot of shit ICMP traffic:
Here is the rule:
fw-server:~# iptables -I INPUT -j DROP -p icmp --icmp-type echo-request
Sometimes it's necessary to filter the IPs of certain hosts trying to DoS you; to do so:
fw-server:~# iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP -p icmp --icmp-type echo-request
To disable ICMP ping requests on IPv6 protocol:
fw-server:~# ip6tables -I INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
Note that the above firewall rules do not drop all ICMP traffic (some ICMP messages are necessary for standard TCP/IP or UDP applications to operate properly); they DROP only packets of ICMP type echo request (type 8 on IPv4, type 128 on ICMPv6).
If later it's necessary to temporarily enable ping on the server, the quickest way is to FLUSH the whole INPUT chain temporarily (note that this removes every rule in INPUT, not only the ICMP one), i.e.:
fw-server:~# iptables -F INPUT
If it's necessary to delete just the PING echo-request DROP rule, one can also use:
fw-server:~# iptables -L INPUT -n --line-numbers
and
fw-server:~# iptables -D INPUT 10
Here 10 is the line number at which the DROP icmp rule shows up in the listing.
Well, that's it; now your server will be a bit more secure 😉 Enjoy
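An added example (not part of the original post): a small shell helper that picks the echo-request DROP rules out of the numbered listing and prints the matching delete commands, highest number first, because deleting a rule renumbers every rule below it. The sample listing is constructed, the function names are hypothetical, and the `icmptype 8` / `icmp echo-request` text it matches is an assumption about how your iptables version prints the rule.

```shell
#!/bin/sh
# Constructed sample of `iptables -L INPUT -n --line-numbers` output
# (not taken from a real host; 203.0.113.7 is a documentation address).
sample_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       icmp --  203.0.113.7          0.0.0.0/0            icmptype 8
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3
4    DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
EOF
}

# Read a numbered listing on stdin and print the rule numbers of DROP rules
# that match ICMP echo-request, highest number first.
# Accepts both the numeric form (-n: "icmptype 8") and the named form.
echo_drop_rules() {
    awk '$1 ~ /^[0-9]+$/ && $2 == "DROP" && $3 == "icmp" &&
         (/icmptype 8$/ || /icmptype 8[^0-9]/ || /icmp echo-request/) {
             print $1
         }' | sort -rn
}

# Print (do not execute) one delete command per matching rule.
# Descending order matters: removing rule 1 first would turn rule 4 into
# rule 3, and a later "-D INPUT 4" would hit the wrong rule or fail.
delete_commands() {
    echo_drop_rules | while read -r n; do
        echo "iptables -D INPUT $n"
    done
}

# Demo on the constructed listing. On a live host, review the output of:
#   iptables -L INPUT -n --line-numbers | delete_commands
sample_listing | delete_commands
```

The ACCEPT rule for ICMP type 3 and the SSH rule are left alone, which is the difference from flushing the whole INPUT chain.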
Tags: Flood Denial of Service, ICMP, ICMP Ping flood, ICMP traffic, iptables
Another good example script on ICMP filtering is here: http://www.pc-freak.net/files/icmp-filtering-with-iptables.txt